trunk: add mls constraints to dbus.

2008-01-03 20:37:25 +00:00 · 2008-01-03 20:37:25 +00:00 · 936f286c16
commit 936f286c16
parent 9323a50bcc
3 changed files with 51 additions and 2 deletions
--- a/policy/mls
+++ b/policy/mls
@ -570,8 +570,13 @@ mlsconstrain xinput { setattr relabelinput }
 # MLS policy for the dbus class
 #
 mlsconstrain dbus { send_msg }
 	(( l1 eq l2 ) or
 	 ( t1 == mlsdbussend ) or
 	 ( t2 == mlsdbusrecv ));
 # these access vectors have no MLS restrictions
-# dbus { acquire_svc send_msg }
+# dbus { acquire_svc }
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@ -859,3 +859,44 @@ interface(`mls_db_downgrade',`
 	typeattribute $1 mlsdbdowngrade;
 ')
 ########################################
 ## <summary>
 ##      Make specified domain MLS trusted
 ##      for sending dbus messages to 
 ##	all levels.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`mls_dbus_send_all_levels',`
       gen_require(`
               attribute mlsdbussend;
       ')
       typeattribute $1 mlsdbussend;
 ')
 ########################################
 ## <summary>
 ##      Make specified domain MLS trusted
 ##      for receiving dbus messages from 
 ##	all levels.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`mls_dbus_recv_all_levels',`
       gen_require(`
               attribute mlsdbusrecv;
       ')
       typeattribute $1 mlsdbusrecv;
 ')
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@ -1,5 +1,5 @@
-policy_module(mls,1.6.0)
+policy_module(mls,1.6.1)
 ########################################
 #
@ -61,3 +61,6 @@ attribute mlsfduse;
 attribute mlsfdshare;
 attribute mlstranslate;
 attribute mlsdbusrecv;
 attribute mlsdbussend;